{
	"id": "710f3248-48fe-40f6-9f0b-a7205d5d9bbd",
	"created_at": "2026-04-06T00:09:04.016573Z",
	"updated_at": "2026-04-10T03:33:57.058574Z",
	"deleted_at": null,
	"sha1_hash": "69a765103c20a13080b84838db5d65b09953e295",
	"title": "REvil / Sodinokibi: The Crown Prince of Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3462594,
	"plain_text": "REvil / Sodinokibi: The Crown Prince of Ransomware\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 13:57:16 UTC\r\nResearch By: Tom Fakterman\r\nWhat is Sodinokibi RANSOMWARE?\r\nIn April of 2019, the Cybereason Nocturnus team encountered and analyzed a new type of ransomware dubbed REvil/Sodinokibi. REvil/Sodinokibi is highly evasive, and takes many measures to prevent its detection by antivirus and other means.\r\nThe authors of REvil/Sodinokibi have previously been linked to the authors of the prolific GandCrab ransomware, which was recently retired. GandCrab is responsible for 40% of all ransomware infections globally. If the association is accurate, GandCrab sets a good example of just how impactful REvil/Sodinokibi may become.\r\nRansomware remains a huge business risk to organizations across many vectors. Highly evasive ransomware such as REvil/Sodinokibi and GandCrab causes huge damage to organizations each year.\r\nIn this report we analyze the attack and the malware, and offer security recommendations for defenders to consider when coming up against this attack.\r\nWHO IS BEHIND SODINOKIBI?\r\nhttps://www.cybereason.com/blog/the-sodinokibi-ransomware-attack\r\nPage 1 of 19\n\nInitially, most of the REvil / Sodinokibi attacks were observed in Asia, although recently Europe has become one of the most significantly affected regions.\r\nWhen the ransomware first emerged, it exploited vulnerabilities in servers and other critical assets of SMBs. 
As time went by, we saw other infection vectors such as phishing and exploit kits.\r\nDuring our investigation, we also encountered several instances where the REvil / Sodinokibi ransomware purposefully searches the infected machine for an AV product made by the South Korean security vendor \"Ahnlab\" in order to inject its malicious payload into a process of the trusted AV vendor.\r\nThere is evidence presented in this research and by previous vendors suggesting that the REvil / Sodinokibi ransomware was created by the same group as the prolific GandCrab ransomware.\r\nSecurity Recommendations\r\nDo not download files from suspicious sources or click on suspicious links.\r\nMake regular backups of important files, both locally and externally in the cloud.\r\nEnable PowerShell prevention in the Cybereason solution.\r\nActivate Cybereason anti-ransomware in Prevention mode to detect and prevent this threat and other, similar threats.\r\nTable of Contents\r\nIntroduction\r\nAnalysis of the Attack\r\nLoader Phase One: The UAC Bypass\r\nLoader Phase Two: Injection to Ahnlab\r\nThe Sodinokibi Payload\r\nConclusion\r\nMITRE ATT\u0026CK Technique Breakdown\r\nIndicators of Compromise\r\nIntroduction\r\nIn April of 2019, the Cybereason Nocturnus team encountered several instances where REvil / Sodinokibi was dropped onto the target machine via a malicious link as a zip file containing malicious JavaScript.\r\nThough the Cybereason solution prevented the ransomware, we have seen it successfully execute in other organizations. It is able to completely incapacitate a business by preventing access to data and critical assets of a target machine, among other damage. 
As of now, the malware does not have the capability to self-propagate, but once that is implemented, it could extend its impact across a network.\r\nWhen first discovered in late April, REvil / Sodinokibi (AKA Sodin) was reported as being installed on machines by exploiting an Oracle WebLogic vulnerability (CVE-2019-2725) and subsequently started propagating through exploit kits and spam.\r\nIn this blog post, we perform a deep technical analysis of the Sodinokibi ransomware, focusing on the ransomware delivery method as well as the defensive mechanisms put in place by the malware authors in order to evade AV detection.\r\nThis malware showcases a resurgence of ransomware we have been tracking in the industry. Though some have reported ransomware attacks decreasing, we are seeing that ransomware is here to stay. In fact, ransomware attack payments have doubled in the second quarter of this year. Organizations need security products that are able to defend against the latest attacks in order to stay on top and detect and prevent successfully.\r\nDuring our analysis, we noticed interesting similarities between REvil / Sodinokibi and the GandCrab ransomware, whose operators claimed in June 2019 that they were retiring and discontinuing their operation. Our findings are consistent with other reports by security researchers that also found similarities between the two ransomware families.\r\nHOW IS SODINOKIBI DELIVERED?\r\nAnalysis of the Attack\r\nThe initial infection vector used by the threat actor is a phishing email containing a malicious link. When clicked, the link downloads a supposedly legitimate zip file that is actually malicious. 
REvil / Sodinokibi zip files have a very low detection rate on VirusTotal, which signals that the majority of antivirus vendors do not flag the initial payload as malicious.\r\nSince the initial REvil / Sodinokibi payload is able to pass undetected, the first layer of defense for many organizations is immediately bypassed:\r\nThe REvil / Sodinokibi zip file detection rate on VirusTotal is quite low.\r\nThe zip file contains an obfuscated JavaScript file. When the user double-clicks the JavaScript file, WScript executes it:\r\nWScript executing malicious JavaScript.\r\nThe first stage process tree as seen in the Cybereason solution.\r\nThe JavaScript file de-obfuscates itself by rearranging characters from a list called eiculwo, which is located in the JavaScript file:\r\nThe first half of the obfuscated JavaScript file.\r\nThe variable vhtsxspmssj, located in the JavaScript file, is an obfuscated PowerShell script that will be de-obfuscated later on in the attack:\r\nThe de-obfuscated JavaScript file.\r\nThe JavaScript file de-obfuscates the variable vhtsxspmssj, mentioned earlier as the PowerShell script, and saves it in the temp directory with the name jurhtcbvj.tmp.\r\nNote: We have encountered variants of the malware where the script downloads the secondary payload instead of embedding it within the initial script.\r\nThe file jurhtcbvj.tmp is a PowerShell script filled with multiple unnecessary exclamation marks, most likely to further obfuscate itself. 
The JavaScript file launches a PowerShell command to remove the exclamation marks and execute the PowerShell script:\r\nThe contents of the obfuscated PowerShell script jurhtcbvj.tmp.\r\nThe command to replace exclamation marks and execute the PowerShell script.\r\nThe PowerShell script decodes an additional Base64-encoded script and executes it. The decoded script contains a .NET module, also Base64-encoded, which is subsequently decoded and loaded into the PowerShell process memory. Once loaded, it executes the function Install1:\r\nThe decoded script decrypting and loading module test.dll into memory.\r\nThe module test.dll is one of many layers of this delivery process. The function Install1 contains yet another Base64-encoded module. The function decodes the module and loads it into memory:\r\nBase64-encoded module Install1.\r\nLoading the module Install1 into memory.\r\nIf the malware was unable to gain high enough privileges, it will attempt a User Account Control bypass.\r\nLoader Phase One: The UAC Bypass\r\nThe module loaded into memory functions as a loader for the next phase of the malware. The module uses CheckTokenMembership to confirm the process's privileges. If the process's privileges are insufficient, it tries to bypass User Account Control (UAC). In order to bypass UAC, the malware writes itself to the registry key Software\\Classes\\mscfile\\shell\\open\\command\\ and launches a new instance of explorer.exe to execute CompMgmtLauncher.exe:\r\nCreating the registry key and launching CompMgmtLauncher.exe.\r\nExplorer.exe is used to launch CompMgmtLauncher.exe.\r\nWhen CompMgmtLauncher.exe is executed, it executes anything configured in the registry key Software\\Classes\\mscfile\\shell\\open\\command\\. 
In this instance, it is executing the same PowerShell command executed earlier to replace exclamation marks and execute the PowerShell script, but with higher privileges:\r\nThe registry key creation in order to bypass UAC.\r\nThe process is now being executed with the highest privileges, and the attack continues:\r\nThe process tree after the UAC bypass as seen in the Cybereason solution.\r\nThe loader module is loaded into memory and checks again for privileges. This time, it has sufficient privileges and continues the attack. Within the loader module resources is an XOR-encrypted portable executable.\r\nThe XOR-encrypted PE.\r\nThe loader loads the portable executable from the resource into memory, decrypts it in memory using the key 7B, then executes it:\r\nThe portable executable in memory before the XOR decryption.\r\nThe portable executable in memory after the XOR decryption.\r\nLoader Phase Two: Injection to Ahnlab\r\nThe portable executable in memory is the second loader module that will be used for the final payload. In this phase, the malware attempts to inject the ransomware payload into an Ahnlab antivirus process.\r\nIn order to do so, the second loader checks to see if Ahnlab antivirus is installed on the target machine. If the Ahnlab V3 Lite software service V3 Service exists, it checks if the file autoup.exe is available. autoup.exe is part of the Ahnlab Updater and is vulnerable to attack.\r\nThe GandCrab authors have been reported to be bitter with Ahnlab. 
Given this, it is interesting to note that REvil / Sodinokibi specifically searches for Ahnlab and attempts to use it for the attack:\r\nThe malware checking for the Ahnlab antivirus.\r\nThe path string for autoup.exe.\r\nIf the malware is able to find the Ahnlab service and executable, the loader launches the autoup.exe process in a suspended state and attempts to inject the REvil / Sodinokibi payload into it via process hollowing.\r\nIf the Ahnlab antivirus is not installed on the machine, the loader will launch a separate instance of the current PowerShell process in a suspended state and try to inject the REvil / Sodinokibi payload into it via process hollowing.\r\nThe payload is stored in the module resources as an XOR-encrypted portable executable with key 7B:\r\nThe XOR-encrypted portable executable.\r\nThe Sodinokibi Payload\r\nThe malware stores its RC4-encrypted configuration data in the .grrr section. The section name differs among malware variants:\r\nThe sections of the REvil/Sodinokibi payload.\r\nThe configuration file contains information about which folders, files, and file extensions to exclude from encryption. It also contains information on which processes to kill, which services to delete, how to escalate privileges with CVE-2018-8453, how to communicate with C2s, and the ransom note to display:\r\nThe configuration file for REvil / Sodinokibi.\r\nREvil / Sodinokibi identifies which keyboard languages are configured using GetKeyboardLayoutList. It checks the primary language ID with a switch case. If one of the chosen languages is configured, the malware shuts down. 
The malware authors do not want to ransom files from the specific set of countries seen in the switch case below.\r\nIn this REvil / Sodinokibi variant, a check for Syrian Arabic was added, along with new checks for the system language using GetSystemDefaultUILanguage and GetUserDefaultUILanguage:\r\nThe switch case for the primary language ID.\r\nOnce the language checks pass, the malware continues its execution. It deletes shadow copies from the machine with vssadmin.exe to make file recovery more difficult:\r\nShadow copy deletion with vssadmin.exe.\r\nThe ransomware iterates through all folders on the machine, encrypts all files, and drops a ransom note in each folder. Once it has finished encryption, it changes the desktop wallpaper to inform the user of the attack:\r\nThe new wallpaper after the ransomware encrypts the files.\r\nThe ransom note for the ransomware.\r\nAfter the malware encrypts the files on the target machine, it tries to establish communication with a C2 server. In order to generate the URL for the C2, it iterates through a list of domains configured in the previously decoded configuration file:\r\nThe domain list from the configuration file.\r\nThe malware creates several random URLs using the domains with a combination of hard-coded and randomly generated strings. 
A recent report by Tesorion covers the similarities in the way REvil / Sodinokibi and GandCrab generate random URLs, which further strengthens suspicions of a shared author:\r\nThe hard-coded strings for random URL generation.\r\nOnce the URLs are generated, the malware sends encrypted machine information to each of the domains, including username, machine name, domain name, machine language, operating system type, and CPU architecture:\r\nThe data sent to the C2 server before encryption.\r\nWhen the user clicks on the ransom note and enters the key, a page appears that lists the price they must pay in bitcoin to retrieve their files:\r\nThe Tor browser ransom note.\r\nThe Cybereason anti-ransomware solution identified the threat and mitigated the incident before any damage was caused:\r\nThe Cybereason anti-ransomware solution detects and prevents the REvil/Sodinokibi ransomware.\r\nConclusion\r\nIn this blog, we took a deep dive into the REvil / Sodinokibi ransomware infection process, and showed that even though the obfuscation techniques used by the ransomware authors are quite simple, they are still proving to be very effective in bypassing most antivirus vendors.\r\nOur analysis further supports the suspicion that the threat actors behind the REvil / Sodinokibi ransomware are the same allegedly retired authors who created the GandCrab ransomware, based on findings detailed in this report, such as: similarities in the language and country whitelist (Russian-speaking countries and even Syrian Arabic), the “revengeful” targeting of an Ahnlab product for process injection, and the similarities in the URL-generation routine. 
\r\nSince April 2019, the REvil / Sodinokibi ransomware has become very prolific and has become the 4th most common ransomware within less than 4 months of its first appearance. It has since gone through several minor updates, and it is our assessment that its industrious authors will continue to develop the ransomware, adding more features and improving its evasive capabilities.\r\nMITRE ATT\u0026CK TECHNIQUES BREAKDOWN\r\nInitial Access: Spearphishing Link; Spearphishing Attachment; Exploit Public-Facing Application\r\nExecution: Command-Line Interface; Execution through Module Load; PowerShell; User Execution; Scripting\r\nPrivilege Escalation: Access Token Manipulation; Bypass User Account Control; Exploitation for Privilege Escalation\r\nDefense Evasion: Deobfuscate/Decode Files or Information; Disabling Security Tools; Process Hollowing\r\nImpact: Data Encrypted for Impact; Inhibit System Recovery\r\nIndicators of Compromise\r\nSource: https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack"
	],
	"report_names": [
		"the-sodinokibi-ransomware-attack"
	],
	"threat_actors": [
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434144,
	"ts_updated_at": 1775792037,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/69a765103c20a13080b84838db5d65b09953e295.pdf",
		"text": "https://archive.orkl.eu/69a765103c20a13080b84838db5d65b09953e295.txt",
		"img": "https://archive.orkl.eu/69a765103c20a13080b84838db5d65b09953e295.jpg"
	}
}